Kenya: A Rough Ride towards a Knowledge Economy
By Matunda Nyanchama, Agano Consulting (http://aganoconsulting.com)
http://aganoconsulting.com/news-opinions/opinions/item/8-kenya-a-rough-ride-towards-a-knowledge-economy

On January 17th, 2012 Kenyans woke up to news of the desecration of a number of government websites. A hacker had taken the liberty of exposing weaknesses in the security of government systems, reportedly after following a short tutorial. The hacker, reportedly from Indonesia, later even thanked Kenyan technical news sources for effectively covering the story of the hack!

Soon the blogosphere was aflame with concerned, animated Kenyans and friends of Kenya asking how this could happen. They seemed even angrier considering the very basic nature of the flaws that led to the security breaches. It is as if an untrained mechanic had been used to overhaul a car engine, only for the engine to be fouled by the most amateur of mechanics.

This needs to be a wakeup call to all Kenyans, and especially those in leadership, to put in place solid processes, people and technology in defense of the motherland.

Kenya, the nation of M-PESA and other upcoming innovations, has taken major strides into the information age. Today, the country is perhaps one of the best wired on the African continent, with a number of submarine cables having landed on the Kenyan coast recently. These, in turn, have made cheap bandwidth and high-speed access available both into and out of the country. There is a growing tech-savvy young generation, perhaps best epitomized by the growth in use of social media such as Facebook and Twitter. Even the Kenya Defence Forces' communications arm realizes the power of such media and has made it an outlet for updates on such things as the war in Somalia!

The government, on the other hand, has led an onslaught on Internet providers to make bandwidth available at affordable prices. This would lower entry barriers and allow equitable access for the mwananchi (the ordinary citizen), who would reap the attendant benefits.

These benefits are many and varied, including electronic commerce (e.g. being able to transact on the Internet), and government and private sector service delivery, among others. Properly harnessed, connectivity can spur productivity, enhance effectiveness and generate economic growth. It is noteworthy that the Ministry of Information and Communications has targeted a 10% contribution to the country’s Gross Domestic Product (GDP).

…

When the first submarine cable went live, Kenya lit up on the cyberspace map with substantial malicious activity, as noted by the security product company Symantec. It was akin to shining a light into the darkest corner of a house that nobody had cared to clean!

In many respects, lack of high speed Internet connectivity had left the country as a safe haven where we could deploy systems without worrying whether they were secured or not. System owners didn’t have to incur added costs of security because of low risk of being hacked as the systems were largely out of reach for many a hacker on the Internet.

High speed Internet changed all this for, suddenly, a computer deployed in Nairobi can easily and quickly be reached by someone with high speed connectivity anywhere in the world. High speed Internet also means we can run more complex applications faster than we could do before such bandwidth came.

We need to realize that our commendable foray onto the superhighway presents its own risks, for which we appear not to be prepared. These perils include the potential for unauthorized people to steal, alter or make unreachable information held on computers that are not properly secured.

Stolen sensitive information can cause harm to the nation, to businesses and to individuals. Further risks include embarrassment in the face of the world and loss of reputation. It will be no coincidence if, as the story spreads on the Internet, we hear of more of the same in subsequent copycat acts.

Further costs arise from fixing security violations and repairing the damage caused by hackers.

When systems are hacked, the extent of loss can be immense, not simply to companies or governments but also to countries and their nationals.

…

With the end of the cold war, cyberspace has become the new frontier for combat. Thus, we hear of information warfare between perceived adversaries intended for various objectives, including espionage, embarrassing target enemies and a means of staying ahead of the opponent.

The new cyber frontier has made industrial espionage easier than it was before. Why travel to distant countries seeking information from rival companies when one can “hit” several countries from a single location, targeting intended victims with a lapse in cyber defences? All one needs is some expert knowledge, exploit code and a gap in security on the target systems.

In national warfare, we can take a contemporary example from our country’s foray into Somalia in search of Al Shabaab terrorists. The country is at war! And these terrorists would do anything to hurt the country and her people. They have already bombed public places in Kenya, causing major damage, including loss of life.

Just imagine Al Shabaab getting hold of information about our armed forces’ movements and attack plans! Picture further the group being able to alter that information, and the confusion that would ensue for well-laid plans! And suppose further that they were able to jam access to information so as to make it impossible to communicate!

There is more!

Imagine through cyber violations they were able to track (say) the path of key security and government personnel, even the country’s leadership.

In the private sector, Kenyan banks have seen escalating losses lately. They suspect these are associated with increased use of technology. It is possible that some of these losses are due to Internet-related security violations by hackers, whether inside or outside Kenya.

…

All countries take seriously the risks associated with information protection. And they do so for many good reasons, including warding off information warfare and protecting the national economy.

On the economic front thinkers suggest that future economic competitiveness will be determined by how well countries use knowledge for advantage. Those that fully exploit knowledge, taking full advantage of the same, would have a competitive edge.

Knowledge is created from information, which in turn is generated from data. It means that those that faithfully collect data and use methodical approaches to generate information and knowledge out of that data will stay ahead.

Therefore it is important that information be accurate and authentic, that it be accessible only to those that need it, and that it be available when required. Inaccurate data generates false information and hence leads to misplaced decisions. Stolen information can give a competitor an edge.

Information protection remains a challenge to all countries, including developed ones. As one blogger mentioned, even some of the best protected systems, like those of the US Department of Defense, have been violated on more than one occasion. It is also common knowledge that most violations are never reported, hence what we learn of may be only the tip of the iceberg.

It is also true that no system can be 100% secure. An analogy is that of a house whose doors must be open to its residents for the house to be useful. Yet the same doors provide a vulnerability that could be exploited by burglars.

…

These facts should not deter action on information protection. The fact that others (and especially advanced countries) are also violated remains cold comfort for Kenya when it faces the embarrassment and potential negative impact from the desecrations of the kind reported in the press.

The practice of information protection has substantially matured. All the country and its private sector need is to take the matter seriously. Indeed, the country is lucky that it can learn from the mistakes of others whose experiences now form the body of knowledge for best practices.

At the very least an entity (a company or government) must establish what needs to be protected based on some security policy. The policy sets out governance and associated accountabilities in realizing security of the information. As well the entity must employ some best practice standards applicable to the practice of information protection and implement clear guidelines that realize the security of the information.

All people working for the entity must be trained to understand their roles in ensuring security of information. This starts with leadership, followed by everyone else. The required training must be commensurate with the roles of the people. It follows that technical people that install and maintain systems must have deep technical knowledge of security of the systems.

Like any live systems and processes, systems must be continually audited and any exposures fixed in a timely manner. Indeed, there must be ongoing monitoring for security violations (regardless of their magnitude and impact), with an appropriate response to each. Incident management processes must be part of the security DNA of any enterprise.

For systems of interest to the public, a communication plan is always necessary. It is important that entities (be they public or private) continually keep stakeholders informed of breaches and assure the stakeholders that things are under control.

…

All this will not happen in a vacuum; it requires leadership. Today, our government has no designated information protection czar. Few companies have established the role of chief information security officer.

This leader would be a person with mandate for protection of an entity’s (government or private company) information assets. This leader would ensure there is a framework that assures the protection of information, with proper processes, and trained people assigned appropriate responsibilities; the right people in the right place.

…

The Internet presents opportunities for government and private sector in Kenya. The country landed cables even as it was not prepared for consequences of such connectivity. For instance, no information protection framework was in place. Information protection leadership is yet to be established, which leaves a situation where we have technical and non-technical players in the Internet space that are not prepared. It is akin to sending an untrained person to drive on the super highway, oblivious of rules of the road.

It isn’t too late but the urgency of the matter suggests prompt action.

NB: as reported by “The Star”, a Nairobi newspaper, banks have been urged to invest in converged governance, risk and compliance functions to save them from major losses in the future, especially loss and theft of data, and fraud. At the ongoing AITEC Banking conference in Nairobi, participants heard that banks do not yet view these functions, or information security, as strategic investments.

Instead, the costs associated with say setting up a biometric system are seen as too high and better invested elsewhere. Dr. Matunda Nyanchama, a Canada-based consultant, gave the example of Canadian banks that came out of the global financial crisis unscathed because of stringent governance and compliance systems. “Regulation (in Canada) is done to a ‘T’,” Nyanchama said. “When the crisis came, the nation was saved.”

Eric Lusaka, a governance, risk and compliance consultant at PWC Kenya said these related functions tend to be muddled up or lumped together when they should be separately defined. In some organizations, compliance is placed together with risk while in others it is found in a legal and compliance department.

Yet compliance should be used to stringently enforce rules and regulations that should be followed when assessing credit risk and information security. “When problems arise each side says you are responsible,” Lusaka said. Hesham Hamdy, Chief Risk Officer of Arab International Bank of Egypt said such roles should be well defined. “It is better to segregate the duties. The functions are different,” Hamdy said. “I cannot head compliance and audit.” Hamdy said the roles sometimes overlap but that should be seen as an advantage.

Lusaka of PWC advised that banks use an umbrella model that converges information from these different functions together to avoid duplication of duties and the existence of contradicting information about the same issues in one bank. For example, the risk department may have different sets of risks from the Information Security department. Lusaka also identified information security as one area banks have yet to address fully. “Information Security is treated not as a strategic investment but as something nice to do,” said Lusaka. “Something as biometrics is seen as too expensive.”

(Posted by Matunda Nyanchama, info@aganoconsulting.com, Business News & Reports, Mon, 26 Jan 2015)

Information Security in Kenya – Some Thoughts
http://aganoconsulting.com/news-opinions/opinions/item/6-information-security-in-kenya-some-thoughts

A few days ago the Kenya Defence Forces (KDF) Twitter handle was compromised and taken over by hackers. The same happened to the Twitter handle of the KDF spokesman, Major Emmanuel Chirchir.

Those familiar with the two accounts obviously noticed the change in tone in the updates, inconsistent as they were with traditional expectations from the KDF and its spokesman.

By the time of writing this article, it was not clear whether the Kenyan authorities had regained control of the two accounts.

It is not the first time that hackers have embarrassed the government of Kenya. A few years ago, several government websites were hacked.

That said, these are the cases that we know of; cases that make it to the media. What goes unreported may be much more!

In the private sector, a recent news report suggested Kenyan banks had lost in excess of Ksh 600 million in two months. An earlier report in July 2014 estimated annual bank losses, due to poor information protection, to be in excess of Ksh 5 billion. Previously reports put the figure in the range of Ksh 1.5 – 2.5 billion. Some say these are conservative figures as a lot goes unreported.

Nonetheless, these are staggering losses, and someone (usually the customer) ends up paying for them.

Kenya has embraced use of technology in its affairs. We have seen the phenomenal use of cell phones and with it services that ride on the technology infrastructure. M-pesa, which has revolutionized the mobile money space, is perhaps the most successful of services riding on the technology infrastructure.

The country has also seen a rise in the number of incubation hubs for business suggesting there is no shortage of talent. Indeed, many young people aspire to make that next “killer app” that would revolutionize how we do things and enrich them in the process.

As we embrace technology, however, it is important that we realize that nothing comes without risk. To realize the full potential of any invention one must weigh the gains and risks associated to realizing those gains. Managing risks appropriately assures realization of optimal gains.

At the core of technology risks is information security. Without appropriate protection of information and the underlying infrastructure, an entity can pay dearly with respect to its investment.

Unmitigated risks obviously lead to losses, which can be material as in the cases of banks mentioned above. It could also be reputational harm, leading to loss of confidence and trust.

For example, messages from KDF and its spokesperson may lose their full weight if the source cannot be trusted. In financial services, customers may opt for alternative means of transacting if they lose confidence in the banking system.

As we invest and embrace technology, therefore, we need to invest commensurately in associated risk management. In this case, we need to invest in information security.

As an information security practitioner of many years, I have observed the following in my day to day interaction with those in the same business in Kenya:

Breaches Are Not Taken As Seriously as Should be the Case

In general, our people don’t appear to take seriously breaches of the kind illustrated above. They seem to treat such happenings as if they are “small irritants” that do not impact their businesses!

Yet the reputational loss of a government institution whose systems have been compromised can be far-reaching. Indeed, we may not know the extent of damage caused by the hackers in the case of twitter hacks of KDF and its spokesperson. What is clear is that any future updates from those two twitter accounts will be taken with a pinch of salt till such time as confidence is restored!

For the private sector (and banks especially), they could simply underwrite these losses by passing them on to the consumer. A small marginal variation in interest rates can recoup losses of the magnitude mentioned! In that sector, as financial services become more competitive, information protection may offer a competitive advantage.

Insufficient Information Security Skills Base to Tackle Challenges

As a country we need to make the conscious decision to invest in technology management, and especially technology risk management, information security being one of its disciplines. From policy through to education and certification programmes, the country needs to put in concerted effort to develop the needed skills in this area in order to tackle and forestall looming problems. Otherwise, material and reputational losses will inevitably be substantially higher than they are today.

With such skills tasked with the challenges we face today, we would design, implement, continually monitor and respond to incidents based on best practices. (Note: there is no guarantee that one won’t be hacked, but one can minimize the damage (reputation, loss or modification of information, etc.) with timely, appropriate response.)

Lack of Leadership

The country seriously needs leadership in the technology risk space, both in public and private sectors; if there exists any, it is not felt. Such leadership would be evangelistic in nature pushing for appreciation of technology risks and how to deal with them. Such awareness would raise concern and thus assure allocation of commensurate resources (people, financing, technology, etc.) to confront the problem.

My experience in North America tells me that (in Kenya and Africa in general) this area is very much underfunded, and whatever little funding comes through is spent on easy-to-acquire things like CCTV … some installed without the requisite processes, skills, etc., and so not assuring maximum return on investment.

Security by Obscurity

Many technology managers (and many others in management) confuse obscurity with information security. They keep things obscure and profess security. I was once in a discussion with a senior official in government and heard things such as: we cannot disclose what measures we have taken to protect government information because the same can be used by you people to target us! He failed to appreciate that one can still be hacked using well-known reconnaissance approaches, which do not depend on knowing what defences are in place.
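As an added illustration of that point (example code written for this page, not from the article or from any Kenyan government system), the Python below shows what an attacker learns from a single unauthenticated HTTP response, and that scrubbing the obvious headers still leaves other signals in place. Both responses, the version strings and the cookie-name table are constructed for the example; the "obscured" server has hidden its Server and X-Powered-By values and its CMS generator tag but, as is typical, kept the platform's default session cookie name.

```python
"""Passive HTTP fingerprinting from a single response.

Illustrative code added for this page; it is not from the article or from
any Kenyan government system. Both responses below are constructed samples
with invented version strings.
"""
import re
from typing import Dict, List, Tuple

# Constructed: a server that freely discloses its stack.
VERBOSE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Server: Apache/2.2.22 (Ubuntu)\r\n"
    "X-Powered-By: PHP/5.3.10\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    '<html><head><meta name="generator" content="Joomla! - Open Source Content Management" />'
    "</head><body>ok</body></html>"
)

# Constructed: the same stack after "obscurity" measures. Server is
# genericised, X-Powered-By and the generator tag are gone, but the
# default session cookie name was left alone, as is typical.
OBSCURED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Server: webserver\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html><head></head><body>ok</body></html>"
)

# Default session cookie names that betray the platform. Small illustrative
# table (an assumption for this example), not an exhaustive signature set.
COOKIE_SIGNATURES = {
    "PHPSESSID": "PHP",
    "JSESSIONID": "Java servlet container",
    "ASP.NET_SessionId": "ASP.NET",
}

# Matches product/version tokens such as "Apache/2.2.22" or "PHP/5.3.10".
VERSION_RE = re.compile(r"[A-Za-z][\w.-]*/\d+(?:\.\d+)+")


def parse_response(raw: str) -> Tuple[str, List[Tuple[str, str]], str]:
    """Split a raw HTTP/1.1 response into status line, (name, value) headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def fingerprint(raw: str) -> Dict[str, List[str]]:
    """Collect the stack signals an attacker gets from one unauthenticated request."""
    _, headers, body = parse_response(raw)
    signals: Dict[str, List[str]] = {"server": [], "platform": [], "application": []}
    for name, value in headers:
        if name == "server":
            signals["server"].append(value)
        elif name == "x-powered-by":
            signals["platform"].append(value)
        elif name == "set-cookie":
            # Cookie *names* survive header scrubbing; a default name is a tell.
            cookie_name = value.split("=", 1)[0].strip()
            if cookie_name in COOKIE_SIGNATURES:
                signals["platform"].append(f"{COOKIE_SIGNATURES[cookie_name]} (cookie {cookie_name})")
    m = re.search(r'<meta\s+name="generator"\s+content="([^"]+)"', body, re.IGNORECASE)
    if m:
        signals["application"].append(m.group(1))
    return signals


def disclosed_versions(raw: str) -> List[str]:
    """Exact product/version strings that can be looked up against vulnerability databases."""
    found: List[str] = []
    for values in fingerprint(raw).values():
        for v in values:
            found.extend(VERSION_RE.findall(v))
    return found


if __name__ == "__main__":
    for label, resp in (("verbose", VERBOSE_RESPONSE), ("obscured", OBSCURED_RESPONSE)):
        print(label, fingerprint(resp), disclosed_versions(resp))
```

The obscured response no longer hands over exact version numbers, which is worth doing, but the cookie name still tells the attacker it is a PHP application, and the same is true of error pages, response timing, URL conventions and the vulnerability itself. Hiding the defences changes which tool the attacker reaches for; patching and hardening change whether the tool works.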

If we are serious (especially in government) to address this matter, let’s get some of our top talent, give them security clearance and challenge them to build robust systems that assure security.

A friend recently told the story of a manager (a protégé of top management) who kept his job, protected by his benefactors, but who many knew wasn’t performing. This manager would continually avoid bringing in talent that might help him build robust systems, fearing that such talent might also expose his failings! Only when the organization was hit and top management was embarrassed by the loss (material, reputational) did they hire an external consultant, whose report exposed the fraud the manager had perpetrated for many years! … Long story short, he was given a soft landing and slowly eased out of the organization.

Lesson to managers and decision-makers: get the right talent, skills and experience for the job if indeed you are committed to delivering in your mandate. The matter of awarding jobs and/or contracts based on connections rather than merit does come back to bite over time; it can be costly to you and your organization.

Poor/Weak Compliance Regime

The country has an extremely weak compliance regime. Two examples.

In government, the Auditor General’s main focus is on financial audit, as in the recently reported case of Kshs 327 billion unaccounted for. In its most mature form, audit would comprehensively assess what could hamper the attainment of the set objectives of (say) government departments and other state entities. … The office of the Auditor General hardly has the capacity to deliver such comprehensive audit, especially as it relates to technology: its specification, acquisition, deployment, management and disposal, and the assessment of the associated risks.

In the private sector, take the example of banks. The regulator (the Central Bank of Kenya) routinely seeks compliance as a condition of licensing and has a fairly standard compliance regime for the purpose. The fact is that the depth of compliance assessment and verification with respect to technology is largely wanting! It is often the case that financial institutions file the required documents, whose content is hardly tested to verify compliance. … The country has plenty of work to do in this space.

Conclusion

Let’s remember that technology, its embrace and use presents risks. Key among these are information security risks which need to be understood and mitigated in order to minimize damage. As a nation, we need to invest in the knowledge, expertise and experience in this area. Only then can we avoid inevitable losses be they material or reputational. Who knows whether proper management of this space can lead to a drop (however marginal) in the interest rate?

Dr Matunda Nyanchama is a Director and Managing Consultant at Agano Consulting Inc., an ICT services firm with offices in Canada and Kenya.

(Posted by Matunda Nyanchama, info@aganoconsulting.com, Opinions, Mon, 26 Jan 2015)

Information Security – Hacker Motivation
http://aganoconsulting.com/news-opinions/opinions/item/5-information-security-hacker-motivation

Reports indicate that Deputy President (DP) William Ruto’s Twitter account has been compromised. This comes hardly two days after the Twitter accounts of the Kenya Defence Forces (KDF) and of its spokesman, Major Emmanuel Chirchir, were compromised.

It appears that it is the same group of hackers involved in both cases and clearly targeting the government. Indeed, using the DP’s twitter handle, the hackers posted a series of government sites that they had hacked. While we may not know the extent of damage inflicted, the embarrassment factor is big enough to require immediate and urgent action on the part of government.

On social media, some people have expressed glee at these unlawful acts, happy that the Jubilee government is being subjected to shame. As a “digital government”, some said, Jubilee should be better prepared to deal with such risks, adding that the government’s rhetoric doesn’t match reality.

Whatever anyone thinks, all of us Kenyans should feel bad that such high-level exposure is happening to key national offices in the country. This is especially so when the country faces the monumental task of securing itself. The least we should do as citizens (whether allied to the government or the opposition) is empathize and hope that the government will put in place rapid measures to restore normalcy and trust, so that it can forestall further cyber challenges of the kind we have seen.

If there is anything to learn from these incidents it is that time is nigh for rapid implementation of information protection measures! Information security needs to be prioritized as a matter of urgency. It is important that we prioritize attention in this area so as to forestall similar (and perhaps worse) happenings.

Let’s remember that these hackers are not going away. We must expect that there will be continuous attempts at breaking into systems (be they government or private sector) by the large mass of hackers out there. Some would be copycat attacks while others would be fresh exploration of weaknesses of our systems accessible over the Internet.

The hacker menace (whether internal or external to an organization) is real and is here to stay. The best we can do is be prepared to prevent, detect and respond to (deal with) the threat when it materializes. Indeed, the realistic course is make it as hard as one possibly make it for hackers to break into systems.

There is more. There is no absolute security, regardless of the amount of resources dedicated to system protection. A well-motivated hacker with infinite resources (e.g. time and money) will break into a system however secure the system is deemed to be.

We will be discussing protection techniques in the future. Before that, however, we need to understand what motivates hackers and why they continue to be a menace.

Hacking has been around as long as computers existed. The menace has grown with the proliferation of the Internet and the Internet’s pervasive use. As the Internet reach grows, so also does the hacker threat. This is especially so given ease with which hackers, located in disparate locations, can collaborate and share attack techniques.

Hackers are people who usually intrude into computer systems and manipulate these systems for their own ends. They are motivated by different interests, including the following:

Thrill for personal satisfaction

These are people who hack for the sake of hacking. They derive satisfaction from breaking into systems, for the fun of the challenge, and are motivated by little other than the prize itself: getting in. Some later brag about their escapades to their underground “communities” and in the process gain “respect” among their peers.

One can imagine the hackers in the recent Kenyan hacks bragging about how they embarrassed our forces and the Deputy President of the nation! Quite, some “respect” it would earn these intruders.

“Service to the Community”

These break into systems believing that exposing flaws in the systems is good for the community. Clearly they enjoy the thrill, but they also understand that once a flaw has been exposed, the people concerned will fix it and thus leave society better off. There was once a story of a kid who broke into a bank, created an account and planted a malicious program that, on a nightly basis, deducted small amounts of money from all the accounts and deposited the amounts in the account he had created. Later, it is said, he presented the evidence to the bank management. And he hadn’t withdrawn a cent of the large amount of money he had accumulated.

Now suppose that the hackers in the Kenyan cases intended “service to community”, they would rest easy that the government has woken up to the reality of exposure they face.

Motivated by Malice

Despite the above, my reading is that the people that hacked the KDF and DP’s accounts were driven by malice. Even if they may not have gained access to sensitive KDF and DP information, the embarrassment in government ranks and across the country is palpable. As a result, some may question KDF’s ability to protect us when it cannot protect as simple a thing as a Twitter account. For the DP, the question I have had posed to me is: how could such a BIG office (with all the resources at its disposal) be so sloppy in the management of the DP’s communication channels?

Malicious hackers usually do a number of things once they enter a computer.

They may steal and (possibly) disclose sensitive information to unauthorized parties. For example, suppose such hackers gained access to the KDF’s battle strategy and plans. This would be treasure in the hands of an enemy.

Now suppose that they proceeded to modify the plans, which are then transmitted to the battlefield. The consequences could be dire, as those in the field would be acting on modified information. Indeed, suppose the hacker had the ability to interfere with the timely and accurate transmission of such information! They would clearly hamper execution of battle plans, to the detriment of the KDF!

The term Information Warfare is becoming commonplace. This is where the theatre of war extends to cyberspace. Here hackers (working for parties in combat) attack enemy targets in order to gain advantage in the field. A few years ago, Iranian nuclear facilities were infected by the Stuxnet worm, which damaged the centrifuges used for uranium enrichment, clearly hampering the development of its nuclear programme!

In the commercial arena the world is becoming more and more competitive. Whoever stays ahead in terms of research and development, and translating the information to products and services could stay ahead economically. Now suppose the malicious hacker gets hold of such intellectual property!

Industrial espionage is a reality today, whether by foreign or local parties.

In a recent case, systems of a large retail chain in North America (Target) were compromised. The hackers gained access to the company’s customer data, including payment card information. Such information can be used for malicious purposes, including card fraud. While the impact on the retail chain hasn’t been quantified, it clearly suffered substantial damage to its brand image, (perhaps) to the advantage of its competitors.

Final words: pervasive technology use requires clear understanding of information protection needs. These include developing strategies, policies, deployment and operation needs to assure systems protection. Of necessity these needs would encompass aspects of people, processes and technology.

Dr Matunda Nyanchama is a Director and Managing Consultant at Agano Consulting Inc., an ICT services firm with offices in Canada and Kenya. He can be reached at mnyanchama@aganoconsulting.com.

OUTSOURCING TO AFRICA: A Relative Ranking of 15 Country Locations

This is a Commonwealth Business Council (CBC) study of 15 countries resulting in a ranking of their relative readiness. Criteria used include infrastructure, people/skills and business environment. Below is an extract from the report’s overview: “Egypt turns out as the most attractive location in Africa. Egypt will have strong competition from all the others in the infrastructure ready band as all are working hard to improve. Egypt has an edge because ICT is supported and believed in by the leadership and all actions are coordinated. Further with…

Unique mobile subscriber numbers are poised to hit the 525 million mark in 2020 in Sub-Saharan Africa (SSA), according to a recent report from the GSMA (GSM Association). It is projected that actual connections will number 975 million, and that the mobile penetration rate will hit 49% across the region by 2020.

This represents an annual compound growth rate of 7% per year and makes SSA the fastest growing region with respect to mobile communications.

The mobile communications sector is a major contributor to the economy, employing more than 2.4 million people directly and indirectly creating more than 3.7 million jobs. It is also a major source of tax revenue (approximately US$13 billion annually) for governments. It further generates licence and spectrum auction fees for the regulatory agencies across Africa.

By 2020 the sector is expected to contribute up to 6.2% (or US$104 billion) of the region’s GDP, up from 5.2% (or US$75 billion) in 2013.

On the other hand, operators are expected to inject a total of US$97 billion in capital spending between 2014 and 2020 as they modernize their infrastructure and increase coverage. Infrastructure modernization would include extended rollout of 4G networks, which in turn is expected to drive adoption of advanced devices that take advantage of 4G capabilities. It is projected that 40% of all mobile devices will be smartphones. The equivalent figure today is 5.1%.

The sector continues to witness innovation. There is expected to be increased activity in the licensing of Mobile Virtual Network Operators (MVNOs). The coming of thin SIM technology would also deliver substantial value added services to the sector.

The report also suggests that policy changes and tax regime adjustments can spur further growth.